AD-A090 487   MARYLAND UNIV COLLEGE PARK DEPT OF COMPUTER SCIENCE
A Comparative Analysis of Functional Correctness. (U)
AUG 80   D. D. Dunlop, V. R. Basili   F49620-80-C-0001
UNCLASSIFIED   TR-921   NL


UNIVERSITY OF MARYLAND
COMPUTER SCIENCE CENTER
COLLEGE PARK, MARYLAND 20742

Approved for public release.


A COMPARATIVE ANALYSIS OF FUNCTIONAL CORRECTNESS*


Douglas D. Dunlop and Victor R. Basili


Department of Computer Science
University of Maryland
College Park, MD 20742


*Research supported in part by the Air Force Office of Scientific Research Grant F49620-80-C-0001.

Copyright 1980 by Douglas D. Dunlop and Victor R. Basili


ABSTRACT


The functional correctness technique is presented and explained. An implication of the underlying theory for the derivation of loop invariants is discussed. The functional verification conditions concerning program loops are shown to be a specialization of the commonly used inductive assertion verification conditions. The functional technique is compared and contrasted with subgoal induction. Finally, the difficulty of proving initialized loops is examined in light of the inductive assertion and functional correctness theories.
1. Introduction


The relationship between programs and the mathematical functions they compute has long been of interest to computer scientists [McCarthy, 1963; Strachey, 1966]. More recently, [Mills, 1972, 1975] has developed a model of functional correctness, i.e. a technique for verifying a program correct with respect to an abstract functional specification. This theory has been further developed by [Basu & Misra, 1975; Misra, 1978] and now appears as a viable alternative to the inductive assertion verification method due to [Floyd, 1967; Hoare, 1969].

In order to describe the functional correctness model, we consider a program P with variables v1, v2, ..., vn. These variables may be of any type and complexity (e.g. reals, structures, files, etc.) but we assume each vi takes on values from a set di. The set D = d1 x d2 x ... x dn is the data space for P; an element of D is a data state. A data state can be thought of as an assignment of values to program variables and is written <c1,c2,...,cn> where each vi has been assigned the value ci in di.

The effect of a program can be described by a function f:D->D which maps input data states to output data states. If P is a program, the function computed by P, written [P], is the set of ordered pairs {(X,Y) | if P begins execution in data state X, P will terminate in final state Y}. The domain of [P] is thus the set of data states for which P terminates.

If the specifications for a program P can be formulated as a data state to data state function f, the correctness of the program can be determined by comparing f with [P]. Specifically, we say that P computes f if and only if f is a subset of [P]. That is, if f(X) = Y for some data states X and Y, we require that [P](X) be defined and be equal to Y. Note that in order for P to compute f, no explicit requirement is made concerning the behavior of P on inputs outside the domain of f.

Example 1: Consider the simple program

    P = while a > 0 do
            b := b * a;
            a := a - 1
        od.

The function computed by the program can be written as

    [P] = {(<a,b>,<0,b*a!>) | a>=0} U {(<a,b>,<a,b>) | a<0}.

Thus if a is greater than or equal to zero, the program maps a and b to 0 and b*a! respectively; otherwise the program performs the identity mapping. As a notational convenience, we often use conditional rules and data state to data state "assignments" (called concurrent assignments) to express functions. In this notation we have

    [P] = (a>=0 -> a,b := 0,b*a! | TRUE -> a,b := a,b).

Finally, if we are given f = (a>=0 -> a,b := 0,b*a!) as the function to be computed, P computes f, since f is a subset of [P].
2. The Functional Correctness Technique


The functional correctness method relies heavily on a technique for verifying that a WHILE loop computes a given state to state function. We present this WHILE loop technique as a theorem and then describe the method for general programs.

Notation: The domain of a function f will be written as D(f). The notation f o g will be used to represent the composition of the functions g and f. We will use the shorthand B*Q for the WHILE loop while B do Q od. Finally, in several examples we will use the notation SUM(a,b,c,d) for the summation from a=b to c of d.

Definition: The loop B*Q is closed for a function f if and only if for all X in D(f), B(X) implies [Q](X) is in D(f). Intuitively, a loop is closed for f if the data state remains in D(f) as it executes for any input in D(f).

Theorem 1: If the loop B*Q is closed for a function f, then the loop computes f if and only if, for all X in D(f),

    (2.1) the loop terminates when executed in initial state X,

    (2.2) B(X) -> f(X) = f([Q](X)), and

    (2.3) ~B(X) -> f(X) = X.

Proof: First, suppose (2.1), (2.2), and (2.3) hold. Let X[0] be any element of D(f). By condition (2.1) the loop must produce some output after a finite number of iterations. Let n represent this number of iterations, and let X[n] represent the output of the loop. Furthermore, let X[1], X[2], ..., X[n-1] be the intermediate states generated by the loop, i.e. for all i satisfying 0 <= i < n, we have B(X[i]) & X[i+1] = [Q](X[i]) and also ~B(X[n]). Condition (2.2) shows f(X[0]) = f(X[1]) = ... = f(X[n]). Condition (2.3) indicates f(X[n]) = X[n]. Thus f(X[0]) = X[n] and the loop computes f.

Secondly, suppose the loop computes f. This fact would be contradicted if (2.1) were false. Suppose (2.2) were false, i.e. there exists an X in D(f) for which B(X) but f(X) <> f([Q](X)). From the closure requirement, [Q](X) is in D(f) and the loop produces f([Q](X)) when given the input [Q](X). But this implies the loop can distinguish between the case where [Q](X) is an input and the case where [Q](X) is an intermediate result from the input X. However, this is impossible since the state describes the values of all program variables. Finally, if (2.3) were false, there would exist an X in D(f) for which the loop produces X as an output, but where f(X) <> X. Thus the loop must not compute f.

An important aspect of Theorem 1 is the absence of the need for an inductive assertion or loop invariant. Under the conditions of the theorem, a loop can be proven or disproven directly from its function specification.
Example 2: Using the loop P and function f of Example 1, we shall show P computes f. D(f) is the set of all states satisfying a >= 0. Since a is prevented from turning negative by the loop predicate, the loop is closed for f and Theorem 1 can be applied. The termination condition (2.1) is valid since a is decremented in the loop body and has a lower bound of zero. Since [Q](<a,b>) = <a-1,b*a>, condition (2.2) is

    a > 0 -> f(<a,b>) = f(<a-1,b*a>)

which is

    a > 0 -> <0,b*a!> = <0,b*a*(a-1)!>

which can be shown to be valid using the identity a! = a*(a-1)!. Condition (2.3) is

    a = 0 -> <0,b*a!> = <a,b>

which is valid using the definition 0! = 1.


The functional correctness procedure is used to verify a program correct with respect to a function specification. Large programs must be broken down into subprograms whose intended functions may be more easily derived or verified. These results are then used to show the program as a whole computes its intended function. The exact procedure used to divide the program into subprograms is not specified in the functional correctness theory. In the interest of simplicity, the technique presented here is based on prime program decomposition [Linger, Mills & Witt, 1979]. That is, correctness rules will be associated with each prime program (or equivalently, with each statement type) in the source language. The reader should keep in mind, however, that in certain circumstances, other decomposition strategies may lead to more efficient proofs. One such circumstance is illustrated in Section 5.

In our presentation of the functional correctness procedure, we will consider simple Algol-like programs consisting of assignment, IF-THEN-ELSE, WHILE and compound statements. Before the correctness technique may be applied, the intended function of each loop in the program must be known. Furthermore, it is required that each loop be closed for its intended function. These intended functions must either be supplied with the program or some heuristic (not discussed here) must be employed by the verifier in order to derive a suitable intended function for each loop. This need for intended loop functions is analogous to the need for sufficiently strong loop invariants in an inductive assertion proof of correctness.

In order to prove that a structured statement S (i.e. a WHILE, IF-THEN-ELSE, or compound statement) computes a function f, it is necessary to first derive the function(s) computed by the component statement(s), and then to verify that S computes f using the derived subfunctions. Consequently, the functional correctness technique will be described by a set of function derivation rules and a set of function verification rules:


Derive Rules - used to compute [S].

    D1: S = v:=e
        1) Return [v:=e].

    D2: S = S1;S2
        1) Derive [S1]
        2) Derive [S2]
        3) Return [S2] o [S1].

    D3: S = if B then S1 else S2 fi
        1) Derive [S1]
        2) Derive [S2]
        3) Return (B->[S1] | TRUE->[S2]).

    D4: S = while B do S1 od
        1) Let f be the intended function (either given or derived)
        2) Verify that while B do S1 od computes f
        3) Return f.


Verify Rules - used to prove S computes f.

    V1: S = v := e
        1) Derive [S]
        2) Show f(X)=Y -> [S](X)=Y.

    V2: S = S1;S2
        1) Derive [S]
        2) Show f(X)=Y -> [S](X)=Y.

    V3: S = if B then S1 else S2 fi
        1) Derive [S]
        2) Show f(X)=Y -> [S](X)=Y.

    V4: S = while B do S1 od
        1) Derive [S1]
        2) Apply Theorem 1.

Before considering an example of the use of these rules, we introduce two conventions that will simplify the proofs of larger programs. First, we allow an assignment into only a portion of the data state in a concurrent assignment. In this case it is understood that the other data state components are unmodified.

Example 3: If a program has variables v1,v2,v3, the sequence of assignments

    v1 := 4; v3 := 7

performs the program function

    v1,v3 := 4,7

which is shorthand for

    v1,v2,v3 := 4,v2,7.


Secondly, if a function description is followed by a list of variables surrounded by # characters, then the function is intended to describe the program's effect on these variables only. Other variables are considered to have been set to an undefined or unspecified value.

Example 4: If a program has variables v1,v2,v3 that take on values from d1,d2,d3, respectively, the function description

    f = (v1 > 0 -> v2,v3 := v3,v2) #v2,v3#

is equivalent to

    (v1 > 0 -> v1,v2,v3 := ?,v3,v2),

where ? represents an unspecified value. Note that in a sense, functions like f are not data state to data state functions; more accurately they are general relations. E.g. in the example, <1,2,3> maps to <1,3,2> as well as <4,3,2>. However, we adopt the view that f is a d1 x d2 x d3 to d2 x d3 mapping and in this light, f is a function. We call {v2,v3} the range set for f, written RS(f). Functions not using the # notation are assumed to have the entire set of variables as their range set. Similarly, if the variables vr1, vr2, ..., vrk are the necessary inputs to a function description f, we say that {vr1, vr2, ..., vrk} is the domain set for f, written DS(f). In Example 4, the domain set for f is {v1,v2,v3} which happens to be the entire set of variables, but this need not be the case. Note that some functions (e.g. constant functions) may have an empty domain set.

Note that the existence of functions with domain and range sets that are proper subsets of the entire set of variables has several implications for the Derive Rules given previously. In rule D2, we require that DS([S2]) is a subset of RS([S1]). If this is not the case, an intended function has been given with too small a range set. The resulting domain and range sets are given by

    DS([S1;S2]) = DS([S1]) U DS([S2])

    RS([S1;S2]) = RS([S2]).

In rule D3, the resulting domain and range sets are

    DS([if B then S1 else S2 fi]) = DS([B]) U DS([S1]) U DS([S2])

    RS([if B then S1 else S2 fi]) = RS([S1]) ∩ RS([S2]).

Example 5: Consider the following program

    S1)  (n>=0 -> s := SUM(i,1,m,i**n))
    1)   a := 1; s := 0;
    S2)  (n>=1 -> s := s + SUM(i,a,m,i**n)) #s#
    2)   while a <= m do
    3)     i := 0; p := 1;
    S3)    (n>=i -> p,i := p*a**(n-i),n)
    4)     while i<n do
    5)       i := i + 1;
    6)       p := p * a
    7)     od;
    8)     s := s + p;
    9)     a := a + 1
    10)  od.

In this example, the functions labelled S1, S2 and S3 are the intended functions for the program, outer WHILE loop and inner WHILE loop respectively. We use the notation Fn-m as the derived function for lines n thru m of the program.

Step 1) - Using D1 and D2 we get

    F5-6 = i,p := i+1,p*a.

Step 2) - We must verify the inner loop computes its intended function. The closure condition and termination condition are easily verified. The other conditions are

    i<n -> <p*a**(n-i),n> = <p*a*a**(n-i-1),n>

and

    i=n -> <p*a**(n-i),n> = <p,i>

which are clearly true.

Step 3) - Using D1 and D2 we derive F3-7 as follows:

    F3-7 = (n>=i -> p,i := p*a**(n-i),n) o F3-3
         = (n>=i -> p,i := p*a**(n-i),n) o i,p := 0,1
         = (n>=0 -> p,i := a**n,n).

Step 4) - Again with D1 and D2 we derive F3-9:

    F3-9 = F8-9 o (n>=0 -> p,i := a**n,n)
         = s,a := s+p,a+1 o (n>=0 -> p,i := a**n,n)
         = (n>=0 -> p,i,s,a := a**n,n,s+a**n,a+1).

Step 5) - Now we are ready to show the outer loop computes its intended function. Again the closure and termination conditions are easily shown. The remaining conditions are

    a<=m -> s+SUM(i,a,m,i**n) = s+a**n+SUM(i,a+1,m,i**n)

and

    a>m -> s+SUM(i,a,m,i**n) = s,

both of which are true.

Step 6) - We now derive F1-10. Applying D2 we get

    F1-10 = (n>=1 -> s := s + SUM(i,a,m,i**n)) #s# o F1-1
          = (n>=1 -> s := s + SUM(i,a,m,i**n)) #s# o a,s := 1,0
          = (n>=1 -> s := SUM(i,1,m,i**n)) #s#.

Step 7) - Since the intended program function agrees with F1-10, we conclude the program computes its intended function.
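The derive rules D1-D4 and the Theorem 1 conditions (2.1)-(2.3) can be read as executable checks. The following Python program is an added example written for this page, not code from the report: data states are dicts, state functions are Python callables that return a new dict (or None outside their domain), the #...# range-set notation is modelled by `project`, and Theorem 1 is checked over finite samples of D(f) rather than proved. It rebuilds the derivation of Examples 1/2 (the factorial loop) and of Example 5 (Steps 1-7); the sample used for the whole program of Example 5 takes n >= 1 so that the derived F1-10, whose antecedent is n >= 1, is defined on every sample state.

```python
# Added example: the derive rules D1-D4 and the Theorem 1 loop conditions as
# finite checks.  Illustrative code written for this page, not the report's.
from itertools import product
import math

def assign(**exprs):
    """Concurrent assignment v1,v2,... := e1,e2,... (rule D1).  Every expression
    is evaluated on the old state; variables not mentioned pass through."""
    def f(s):
        t = dict(s)
        t.update({v: e(s) for v, e in exprs.items()})
        return t
    return f

def rule(pred, f):
    """Conditional rule (pred -> f): defined only where pred holds, None elsewhere."""
    return lambda s: f(s) if pred(s) else None

def project(f, keys):
    """Restrict the range set of f to `keys`: the report's #v1,v2,...# notation."""
    def g(s):
        t = f(s)
        return None if t is None else {k: t[k] for k in keys}
    return g

def compose(g, f):
    """g o f: apply f first, then g (rule D2); an undefined result propagates."""
    def h(s):
        t = f(s)
        return None if t is None else g(t)
    return h

def verify_loop(B, Q, f, sample):
    """Theorem 1 over a finite sample of D(f): closure, (2.2), (2.3) and fuel-bounded
    termination for (2.1).  Equality is taken on the range set of f only."""
    for X in sample:
        fX = f(X)
        assert fX is not None, "sample state lies outside D(f)"
        if B(X):
            Y = Q(X)
            if Y is None or f(Y) is None or f(Y) != fX:   # not closed, or (2.2) fails
                return False
        elif fX != {k: X[k] for k in fX}:                  # (2.3) fails
            return False
        s, fuel = X, 10_000                                # (2.1): run the loop
        while B(s) and fuel > 0:
            s, fuel = Q(s), fuel - 1
        if fuel == 0:
            return False
    return True

def while_rule(B, Q, f, sample):
    """Rule D4: verify that while B do Q od computes its intended function f; return f."""
    if not verify_loop(B, Q, f, sample):
        raise AssertionError("loop does not compute its intended function")
    return f

# Examples 1/2: while a > 0 do b := b*a; a := a-1 od  with  f = (a>=0 -> a,b := 0,b*a!)
Q_fact = compose(assign(a=lambda s: s["a"] - 1), assign(b=lambda s: s["b"] * s["a"]))
f_fact = rule(lambda s: s["a"] >= 0,
              assign(a=lambda s: 0, b=lambda s: s["b"] * math.factorial(s["a"])))

def example2_holds():
    sample = [{"a": a, "b": b} for a, b in product(range(7), range(-3, 4))]
    return verify_loop(lambda s: s["a"] > 0, Q_fact, f_fact, sample)

def SUM(lo, hi, term):
    """The report's SUM(i,lo,hi,term): the sum of term(i) for i = lo .. hi."""
    return sum(term(i) for i in range(lo, hi + 1))

def derive_example5():
    """Steps 1-6 of Example 5: derive F1-10 from the intended loop functions S3 and S2."""
    S3 = rule(lambda s: s["n"] >= s["i"],
              assign(p=lambda s: s["p"] * s["a"] ** (s["n"] - s["i"]), i=lambda s: s["n"]))
    F5_6 = compose(assign(p=lambda s: s["p"] * s["a"]), assign(i=lambda s: s["i"] + 1))
    inner = [dict(a=a, i=i, n=n, p=p, s=0, m=0)
             for a, i, p in product(range(1, 4), range(4), range(1, 3)) for n in range(i, 4)]
    F3_7 = compose(while_rule(lambda s: s["i"] < s["n"], F5_6, S3, inner),
                   assign(i=lambda s: 0, p=lambda s: 1))
    F3_9 = compose(assign(s=lambda s: s["s"] + s["p"], a=lambda s: s["a"] + 1), F3_7)
    S2 = rule(lambda s: s["n"] >= 1, project(
        assign(s=lambda s: s["s"] + SUM(s["a"], s["m"], lambda i: i ** s["n"])), {"s"}))
    outer = [dict(a=a, m=m, n=n, s=s, i=0, p=1)
             for a, m, n, s in product(range(1, 5), range(5), range(1, 4), range(3))]
    return compose(while_rule(lambda s: s["a"] <= s["m"], F3_9, S2, outer),
                   assign(a=lambda s: 1, s=lambda s: 0))

def run_example5(n, m):
    """Direct execution of the Example 5 program, used only as a cross-check."""
    a, s = 1, 0
    while a <= m:
        i, p = 0, 1
        while i < n:
            i, p = i + 1, p * a
        s, a = s + p, a + 1
    return s

def example5_holds():
    """Step 7: the derived F1-10 agrees with S1 = (n>=0 -> s := SUM(i,1,m,i**n)) on a
    sample with n >= 1, and with what the program actually computes."""
    F1_10 = derive_example5()
    S1 = rule(lambda s: s["n"] >= 0,
              project(assign(s=lambda s: SUM(1, s["m"], lambda i: i ** s["n"])), {"s"}))
    return all(F1_10(X) == S1(X) and F1_10(X)["s"] == run_example5(n, m)
               for n, m in product(range(1, 4), range(5))
               for X in [dict(a=0, s=0, i=0, p=0, n=n, m=m)])
```

Handing verify_loop an intended function the loop does not compute, for instance a,b := 0,b*a in place of a,b := 0,b*a! for the factorial loop, makes condition (2.2) fail already at a = 3, so the check rejects it; this is the disproof direction of Theorem 1. The composition order in `compose` mirrors the report's f o g, so F3-7 is built as S3 composed after F3-3 exactly as in Step 3.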

The functional correctness technique was developed by [Mills, 1972, 1975]. This verification method is compared and contrasted with the inductive assertion technique in [Basili & Noonan, 1978]. The presentation here emphasizes the distinction between function derivation and function verification in the correctness procedure.

In [Basu & Misra, 1975], the authors prove a result similar to Theorem 1 for the case where the loop contains local variables.

The closure requirement of Theorem 1 has received considerable attention. Several classes of loops which can be proved without the strict closure restriction are discussed in [Misra, 1978; Basu, 1980]. Results in [Wegbreit, 1977], however, indicate that, in general, the problem of "generalising" a loop specification in order to satisfy the closure requirement is NP-complete.
3. The Loop Invariant f(X0) = f(X)


An important implication of Theorem 1 is that a loop which computes a function must maintain a particular property of the data state across iterations. Specifically, after each iteration, the function value of the current data state must be the same as the function value of the original input. In this section we discuss and expand on this characteristic of loops computing functions for which they are closed.

A loop assertion for the loop B*Q is a boolean-valued expression which yields the value TRUE just prior to each evaluation of the predicate B. In general, a loop assertion I is a function of the current values of the program variables (which we will denote by X) as well as the initial values of the program variables (denoted by X0). To emphasize these dependencies we write I(X0,X) to represent the loop assertion I. Let D be a set of data states. A loop invariant for B*Q over the set D is a boolean-valued expression I(X0,X) which satisfies the following conditions for all X0,X in D:

    (3.1) I(X0,X0)

    (3.2) I(X0,X) & B(X) -> I(X0,[Q](X)) & [Q](X) in D.

Thus, if I(X0,X) is a loop invariant for B*Q over D, then I(X0,X) is a loop assertion under the assumption the loop begins execution in a data state in D. Furthermore, the validity of this fact can be demonstrated by an inductive argument based on the number of loop iterations.

Loop assertions are of interest because they can be used to establish theorems which are valid when (and if) the execution of the loop terminates. Specifically, any assertion which can be inferred from

    (3.3) I(X0,X) & ~B(X)

will be valid immediately following the loop.

It should be clear that for any loop B*Q, there may be an arbitrary number of valid loop assertions. Indeed, the predicate TRUE is a trivial loop assertion for any WHILE loop. However, the stronger (more restrictive) the loop assertion, the more one can conclude from condition (3.3). For a given state to state function f, we say that I(X0,X) is an f-adequate loop assertion iff I(X0,X) is a loop assertion and I(X0,X) can be used in verifying that the loop computes the function f. More precisely, if f is a function, the condition for a loop assertion I(X0,X) being an f-adequate loop assertion is

    (3.4) I(X0,X) & ~B(X) -> X=f(X0)

for all X0 in D(f). A loop invariant I(X0,X) over some set containing D(f) for which condition (3.4) holds is an f-adequate loop invariant.

Example 6: Let P denote the program

    while not a in {0,1} do
        if a > 0 then a := a - 2
                 else a := a + 2 fi
    od.

Consider the following predicates

    I1(a0,a) iff TRUE

    I2(a0,a) iff abs(a) <= abs(a0)

    I3(a0,a) iff odd(a) = odd(a0)

    I4(a0,a) iff odd(a) = odd(a0) & abs(a) <= abs(a0)

    I5(a0,a) iff odd(a) = odd(a0) | (a=3 & a0=2)

where abs denotes an absolute value function, and odd returns 1 if its argument is odd and 0 otherwise. Each of the 5 predicates is a loop assertion. Let D be the set of all possible data states for P (i.e. D = {<a> | a is an integer}). Let f = {(<a>,<odd(a)>)}, and consider I3. Since a in {0,1} implies a=odd(a), we can infer a=odd(a0) from I3(a0,a) & a in {0,1}. Thus I3 is an f-adequate loop assertion. Similarly, I4 and I5 are f-adequate loop assertions, but neither I1 nor I2 is restrictive enough to be f-adequate. Predicates I3 and I4 are loop invariants over D; however, since I5 fails (3.2) it is not a loop invariant (a=3, a0=2 is a counter example).
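The three notions just applied in Example 6 (loop assertion, loop invariant by (3.1)-(3.2), and f-adequacy by (3.4)) can be checked mechanically. The following Python code is an added example written for this page, not part of the report; it assumes the bounded integer range -20..20 in place of the infinite D, a range over which the loop body keeps every state inside D as (3.2) requires, and it classifies the predicates I1..I5 of the example over that range.

```python
# Added example: checking the Example 6 predicates against the definitions of
# loop assertion, loop invariant (3.1)-(3.2) and f-adequacy (3.4).  Written for
# this page; the bounded range standing in for D is an assumption of the example.

def B(a):
    """Loop predicate of Example 6: not a in {0,1}."""
    return a not in (0, 1)

def Q(a):
    """Loop body: if a > 0 then a := a - 2 else a := a + 2 fi."""
    return a - 2 if a > 0 else a + 2

def odd(a):
    """odd(a) = 1 if a is odd, 0 otherwise, as in the report."""
    return a % 2

def f(a):
    """The function f = {(<a>,<odd(a)>)} that the loop computes."""
    return odd(a)

PREDICATES = {
    "I1": lambda a0, a: True,
    "I2": lambda a0, a: abs(a) <= abs(a0),
    "I3": lambda a0, a: odd(a) == odd(a0),
    "I4": lambda a0, a: odd(a) == odd(a0) and abs(a) <= abs(a0),
    "I5": lambda a0, a: odd(a) == odd(a0) or (a == 3 and a0 == 2),
}

def trace(a0):
    """The states at which B is evaluated when the loop starts in a0."""
    states, a = [a0], a0
    while B(a):
        a = Q(a)
        states.append(a)
    return states

def is_loop_assertion(I, D):
    """I(a0,a) holds just prior to every evaluation of B, for every start a0 in D."""
    return all(I(a0, a) for a0 in D for a in trace(a0))

def is_loop_invariant(I, D):
    """(3.1) I(a0,a0) and (3.2) I(a0,a) & B(a) -> I(a0,Q(a)) & Q(a) in D, for a0,a in D."""
    Dset = set(D)
    return (all(I(a0, a0) for a0 in D) and
            all(not (I(a0, a) and B(a)) or (I(a0, Q(a)) and Q(a) in Dset)
                for a0 in D for a in D))

def is_f_adequate(I, D):
    """(3.4) I(a0,a) & ~B(a) -> a = f(a0), for all a0 in D(f) = D and all a in D."""
    return all(not (I(a0, a) and not B(a)) or a == f(a0) for a0 in D for a in D)

def classify(D=range(-20, 21)):
    """For each predicate: (loop assertion?, loop invariant over D?, f-adequate?)."""
    return {name: (is_loop_assertion(I, D), is_loop_invariant(I, D), is_f_adequate(I, D))
            for name, I in PREDICATES.items()}
```

classify() reports I3 and I4 as f-adequate loop invariants, I5 as f-adequate but not a loop invariant (the pair a0=2, a=3 satisfies I5 and B, while Q(3)=1 does not satisfy I5), and all five predicates as loop assertions, in agreement with the text. It also shows that I1 and I2 satisfy (3.1)-(3.2) and are therefore loop invariants, although neither is f-adequate.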

Theorem 2: If B*Q is closed for f and B*Q computes f then f(X0) = f(X) is an f-adequate loop invariant over D(f), and furthermore, it is the weakest such loop invariant in the sense that if I(X0,X) is any f-adequate loop invariant over D(f), I(X0,X) -> f(X)=f(X0) for all X,X0 in D(f).

Proof: First we show that f(X)=f(X0) is a loop invariant over D(f). Condition (3.1) is f(X0)=f(X0). From Theorem 1, for all X in D(f),

    B(X) -> f(X) = f([Q](X)).

Thus for all X,X0 in D(f),

    B(X) & f(X0)=f(X) -> f(X0)=f(X)=f([Q](X)) -> f(X0)=f([Q](X)).

Adding the closure condition B(X) -> [Q](X) in D(f) yields condition (3.2). Thus f(X)=f(X0) is a loop invariant over D(f). Again from Theorem 1, for all X in D(f),

    ~B(X) -> f(X)=X.

Thus for all X0 in D(f),

    f(X)=f(X0) & ~B(X) -> f(X)=f(X0) & f(X)=X -> f(X0)=X

which shows f(X)=f(X0) is f-adequate. Let I(X0,X) be any f-adequate loop invariant for B*Q over D(f), and let Z0,Z be elements of D(f) such that I(Z0,Z). Since B*Q computes f and Z is in D(f), there exists some sequence Z[1], Z[2], ..., Z[n] (possibly with n=1) where Z[1]=Z, Z[n]=f(Z), with B(Z[i]) & Z[i+1] = [Q](Z[i]) for all i satisfying 1 <= i < n. By condition (3.2) we have I(Z0,Z[1]), I(Z0,Z[2]), ..., I(Z0,Z[n]); thus I(Z0,f(Z)) and since Z0 is in D(f) and I(X0,X) is f-adequate,

    I(Z0,f(Z)) & ~B(f(Z)) -> f(Z0)=f(Z)

from condition (3.4). Thus for all Z0,Z in D(f),

    I(Z0,Z) -> f(Z0) = f(Z).

Example 6 (continued): In this example, I3 is of the form f(X)=f(X0). I3 is clearly weaker than the other f-adequate loop invariant I4. It is worth noting that I5 is weaker than I3, but I5 is not a loop invariant, and I2 is weaker than I3, but I2 is not f-adequate. This situation is illustrated in Figure 1. The set of pairs {<a0,a>} is partitioned into 2 sets with a not in {0,1} on the left and a in {0,1} on the right. Note that I4 (or any other f-adequate loop invariant for that matter) is a subset of I3. Furthermore, each f-adequate loop assertion is identical where a is in {0,1}. This shaded region is precisely the set f.


    Figure 1. (The figure partitions the pairs <a0,a> into the region with a not in {0,1}, on the left, and the region with a in {0,1}, on the right, which is shaded.)


Consider the problem of using Hoare's iteration axiom

    (3.5) P & B {Q} P -> P {B*Q} P & ~B

to prove the loop B*Q computes a function f for which it is closed. In our terminology, P must be a loop invariant over some set containing D(f) (otherwise X=f(X0) for all X0 in D(f) cannot be inferred). However, using a loop invariant over a proper superset of D(f) is in general unnecessary, unless one is trying to show the loop computes some proper superset of f. If we choose to use a loop invariant P over exactly D(f), Theorem 2 tells us that f(X)=f(X0) is the weakest invariant that will do the job. In a sense, the weaker an invariant is, the easier it is to verify that it is indeed a loop invariant (i.e. that the antecedent to (3.5) is true), because it says less (is less restrictive, is satisfied by more data states, etc.) than other loop invariants. Along these lines, one might conclude that if a loop is closed for a function f, Theorem 2 gives a formula for the "easiest" loop invariant over D(f) that can be used to verify the loop computes f.

Let us again consider loop invariants and functions as sets of ordered pairs of data states. Let B*Q compute f and let I(X0,X) be an f-adequate loop invariant. We have seen that in this case

    {(X0,X) | I(X0,X) & ~B(X) & X0 in D(f)}

is precisely f. That is, f must be the portion of the set represented by I(X0,X) obtained by restricting the domain to D(f) and discarding members whose second component causes B to evaluate to TRUE. Can the set represented by I(X0,X) be determined from f? No, since in general there are many f-adequate invariants over D(f) and the validity of some will depend on the details of B and Q (e.g. I4 in Example 6). However, Theorem 2 gives us a technique for constructing the only f-adequate invariant over D(f) that will be valid for any B and Q, provided B*Q computes f and is closed for f. Specifically, this invariant couples each element of D(f) with its level set in f. Put another way, all f-adequate loop invariants over D(f) describe what the loop does (i.e. they can be used to show the loop computes f), and some may also contain information about how the final result is achieved. That is, one might be able to use an f-adequate loop invariant to make a statement about the intermediate states generated by the loop on some inputs. The intermediate states "predicted" by the weakest invariant f(X)=f(X0) are the set of all intermediate states that could possibly be generated by any loop B*Q that computes the function correctly. Thus, the invariant f(X)=f(X0) can be thought of as occupying a unique position in the spectrum of all possible loop invariants: it is strong enough to describe the net effect of the loop on the input set D(f) and yet is sufficiently weak that it offers no hint about the method used to achieve the effect.

Example 7: Consider the following program

    while a > 0 do
        a := a - 1;
        c := c + b
    od.

This loop computes the function

    f = (a>=0 -> a,b,c := 0,b,c+a*b).

From Theorem 2, we know that

    I(<a0,b0,c0>,<a,b,c>) iff <0,b0,c0+a0*b0> = <0,b,c+a*b>

is the weakest f-adequate invariant over D(f) = {<a,b,c> | a>=0}. Consider the sample input <4,10,7>. Our loop will produce the series of states <4,10,7>, <3,10,17>, <2,10,27>, <1,10,37>, <0,10,47>. Of course, our invariant agrees with these intermediate states (i.e. I(<4,10,7>,<4,10,7>), I(<4,10,7>,<3,10,17>), ..., I(<4,10,7>,<0,10,47>)), but it also agrees with <6,10,-13>. We conclude then, that it is possible for some loop which computes f to produce an intermediate state <6,10,-13> while mapping <4,10,7> to <0,10,47>. Furthermore, no loop which computes f could produce <6,10,-12> as an intermediate state from the input <4,10,7> since the invariant would be violated.

To emphasize this point, we define an f-adequate invariant I(X0,X) over D(f) for B*Q to be an internal invariant if I(X0,X) implies that B*Q will generate X as an intermediate state when mapping X0 to f(X0). Intuitively, an internal invariant captures what the loop does as well as a great deal of how the loop works. In our example, b=b0 & c=c0+b*(a0-a) & 0<=a<=a0 is an internal invariant, but I(<a0,b0,c0>,<a,b,c>) as defined above is not (the state <6,10,-13> on input <4,10,7> is a counter example). It should be clear that if f has an infinite domain, no loop exists for which f(X)=f(X0) is an internal invariant. However, if we consider non-deterministic loops and weaken the definition of an internal invariant to one where I(X0,X) implies X may be generated by B*Q when mapping X0 to f(X0), such a loop can always be found. This loop would non-deterministically switch states so as to remain in the same level set of f. Our example program could be modified in such a manner as follows:

    while a > 0 do
        t := "some integer value greater than or equal to zero";
        c := c + b * (a-t);
        a := t
    od

and corresponds to a "blind search" implementation of the function.
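The contrast drawn in Example 7 between the weakest f-adequate invariant of Theorem 2 and an internal invariant can be made concrete by enumerating the level set of f through the input <4,10,7>. The following Python code is an added example for this page, not part of the report; the bounded search box around the input is an assumption made so that the enumeration is finite, and the functions f, the loop, the weakest invariant and the internal invariant are transcribed from the example.

```python
# Added example: Example 7's loop, the weakest f-adequate invariant f(X)=f(X0)
# of Theorem 2, and the internal invariant b=b0 & c=c0+b*(a0-a) & 0<=a<=a0,
# compared on the input <4,10,7>.  Written for this page; the search box is an
# assumption of the example.
from itertools import product

def f(state):
    """f = (a>=0 -> a,b,c := 0,b,c+a*b); None outside D(f)."""
    a, b, c = state
    return (0, b, c + a * b) if a >= 0 else None

def trace(state):
    """The states at which a > 0 is evaluated: the loop's actual execution."""
    a, b, c = state
    states = [state]
    while a > 0:
        a, c = a - 1, c + b
        states.append((a, b, c))
    return states

def weakest_invariant(X0, X):
    """I(X0,X) iff f(X0) = f(X), the invariant Theorem 2 supplies."""
    return f(X) is not None and f(X0) == f(X)

def internal_invariant(X0, X):
    """b=b0 & c=c0+b*(a0-a) & 0<=a<=a0: implies X lies on the trace from X0."""
    (a0, b0, c0), (a, b, c) = X0, X
    return b == b0 and c == c0 + b * (a0 - a) and 0 <= a <= a0

def box(X0, bound):
    """A finite box of candidate states around X0 (an assumption of this example)."""
    a0, b0, c0 = X0
    return product(range(-bound, bound), range(b0 - 2, b0 + 3),
                   range(c0 - 10 * bound, c0 + 10 * bound))

def level_set(X0, bound=8):
    """States in the box admitted by the weakest invariant: f's level set through X0."""
    return sorted(X for X in box(X0, bound) if weakest_invariant(X0, X))

def admitted_but_not_reached(X0, bound=8):
    """States the weakest invariant admits that this loop never visits from X0."""
    visited = set(trace(X0))
    return [X for X in level_set(X0, bound) if X not in visited]

def internal_matches_trace(X0, bound=8):
    """The internal invariant holds at exactly the states of the actual execution."""
    visited = set(trace(X0))
    return all(internal_invariant(X0, X) == (X in visited) for X in box(X0, bound))
```

On the input <4,10,7> the weakest invariant admits <5,10,-3>, <6,10,-13> and <7,10,-23> inside the box, none of which the loop visits, and rejects <6,10,-12>, while the internal invariant holds on precisely the five states <4,10,7>, <3,10,17>, <2,10,27>, <1,10,37>, <0,10,47> of the execution.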

In [Basu & Misra, 1975], the authors emphasize the difference between loop invariants and loop assertions. The fact that f(X) = f(X0) is an f-adequate loop invariant appears in [Basu & Misra, 1975; Linger, Mills & Witt, 1979]. The independence of this loop invariant from the characteristics of the loop body is discussed in [Basu & Misra, 1975].
4. Comparison of the Hoare and Mills Loop Verification Rules


An alternative to using Theorem 1 in showing a loop computes a function is to apply Hoare's axiomatic verification technique. That is, one could verify P {B*Q} R where

P iff X=X0 in D(f), and
R iff X=f(X0)

by demonstrating the following for some predicate I:

(A1) P -> I

(A2) B & I {Q} I

(A3) ~B & I -> R.

Strictly speaking, conditions A1 thru A3 show partial correctness; to show total correctness, one must also prove

(A4) B*Q terminates for any input state satisfying P.

Note that if B*Q is closed for f, a predicate I that satisfies A1 and A2 is a loop invariant over D(f) (or some superset thereof).
We now wish to compare these verification conditions with the functional verification conditions. Recalling from Theorem 1, if B*Q is closed for f, the functional verification rules are:

(F1) B*Q terminates for any input state in D(f)

(F2) B(X) -> f(X) = f([Q](X)) for all X in D(f)

(F3) ~B(X) -> f(X) = X for all X in D(f).

In the following discussion we adopt the convention that if f is a function and X is not in D(f), then f(X)=Z is false for any Z.

Theorem 3: Let B*Q be closed for f. If f(X)=f(X0) is used as the loop invariant I in A1-A3, then A1 & A2 & A3 & A4 iff F1 & F2 & F3. That is, the functional verification conditions F1-F3 are equivalent to the special case of the axiomatic verification conditions A1-A4 which results from using f(X)=f(X0) as the loop invariant I. In particular, if I iff f(X)=f(X0) in the axiomatic rules, then

A1 is true,

A2 iff F2 provided X in D(f) & B(X) -> X in D([Q]),

A3 iff F3,

A4 iff F1.

Proof: We begin by noting that the termination conditions A4 and F1 are identical, thus A4 iff F1. Secondly, A1 is

X=X0 in D(f) -> f(X)=f(X0)

which is clearly true for any f. Combining with our first result yields A1 & A4 iff F1. Condition A3 can be rewritten as

~B(X) & f(X)=f(X0) -> X=f(X0)

which is trivially true for any X,X0 outside D(f). Thus A3 may be rewritten as

(A3') For all X,X0 in D(f), ~B(X) & f(X)=f(X0) -> X=f(X0).

Note that A3' -> F3 by considering the case where X=X0. Furthermore, by adding f(X)=f(X0) to the antecedent of F3 we get

F3 -> (~B(X) & f(X)=f(X0) -> f(X)=X & f(X)=f(X0) -> f(X0)=X),

thus F3 -> A3'. Now we have A3 iff A3' iff F3 and adding this to our result above we get A1 & A3 & A4 iff F1 & F3. We next prove A2 & A4 iff F2 & F1. This combined with the above equivalence yields the desired result A1 & A2 & A3 & A4 iff F1 & F2 & F3.

Note that if there exists an X in D(f) such that B(X) but [Q](X) is not defined, then the loop itself will be undefined for X; both A4 and F1 will be false and A2 & A4 iff F2 & F1. We now consider the other case where for all X in D(f), B(X) -> X in D([Q]). In this situation we will show A2 iff F2; combining with A4 iff F1 yields A2 & A4 iff F2 & F1. Rule A2 may be rewritten as

B(X) & f(X)=f(X0) {Q} f(X)=f(X0)

which again is trivially true if X or X0 is outside D(f); thus A2 is equivalent to

For all X,X0 in D(f), B(X) & f(X)=f(X0) {Q} f(X)=f(X0).

Since Q terminates for any input X in D(f) such that B(X) by hypothesis, this may be transformed to

(A2') For all X,X0 in D(f), B(X) & f(X)=f(X0) -> f([Q](X))=f(X0).

As before, we can show A2' -> F2 by considering the case where X=X0, and F2 -> A2' by adding f(X)=f(X0) to the antecedent of F2. Thus A2 iff A2' iff F2, which implies A2 iff F2. This completes the proof.

The purpose of Theorem 3 is to allow us to view the functional verification conditions as verification conditions in an inductive assertion proof. Not surprisingly, both techniques have identical termination requirements. If the termination condition is met, F2 amounts to a proof that f(X)=f(X0) is a loop invariant. Condition F3 amounts to a "Rule of Consequence", testing that the desired result can be implied from the loop invariant f(X)=f(X0) and the negation of the predicate B.
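As an added illustration (this is not code from the report), the following Python script checks Theorem 3 exhaustively on a finite slice of the state space for one loop. The loop body assumed here, c := c + b; a := a - 1 guarded by a > 0, is not spelled out on this page but is the one consistent with the invariant c=c0+b*(a0-a) quoted at the start of this section; the intended function f, the deliberately defective body Q_bad, and the variable ranges are assumptions of the example. The script also replays the section's counterexample, the state <6,10,-13> on input <4,10,7>, to show that f(X)=f(X0) holds there without the state being generated by the loop.

```python
# Added example, not code from the Dunlop & Basili report. It checks, on a
# finite slice of the state space, the functional conditions F1-F3 and the
# axiomatic conditions A1-A4 with I(X0,X) iff f(X) = f(X0), so that the
# equivalence of Theorem 3 can be observed on one loop. The loop assumed here,
# "while a > 0 do c := c + b; a := a - 1 od", is consistent with the report's
# invariant c = c0 + b*(a0 - a); its intended function f maps <a,b,c> with
# a >= 0 to <0,b,c+a*b>. Q_bad and the ranges are constructed for this check.
from itertools import product

RANGE = range(-3, 4)                       # finite slice of each variable
STATES = list(product(RANGE, repeat=3))    # all states <a,b,c> in the slice

def B(X):                                  # loop predicate a > 0
    a, b, c = X
    return a > 0

def Q(X):                                  # loop body: c := c + b; a := a - 1
    a, b, c = X
    return (a - 1, b, c + b)

def Q_bad(X):                              # constructed defect: adds one too many
    a, b, c = X
    return (a - 1, b, c + b + 1)

def f(X):                                  # intended function; None means X not in D(f)
    a, b, c = X
    return (0, b, c + a * b) if a >= 0 else None

DOMAIN = [X for X in STATES if f(X) is not None]

def closed_for_f(Q):                       # the body keeps D(f) while B holds
    return all(f(Q(X)) is not None for X in DOMAIN if B(X))

def run_loop(Q, X, fuel=100):              # B*Q; None if no stop within `fuel` steps
    while B(X):
        if fuel == 0:
            return None
        X, fuel = Q(X), fuel - 1
    return X

# functional verification conditions of Theorem 1
def F1(Q): return all(run_loop(Q, X) is not None for X in DOMAIN)
def F2(Q): return all(f(Q(X)) == f(X) for X in DOMAIN if B(X))
def F3():  return all(f(X) == X for X in DOMAIN if not B(X))

# axiomatic conditions with the invariant of Theorem 3 (false outside D(f))
def I(X0, X):
    return f(X0) is not None and f(X) is not None and f(X) == f(X0)

def A1():                                  # P -> I, with P: X = X0 in D(f)
    return all(I(X0, X0) for X0 in DOMAIN)

def A2(Q):                                 # B & I {Q} I
    return all(I(X0, Q(X)) for X0 in DOMAIN
               for X in STATES if B(X) and I(X0, X))

def A3():                                  # ~B & I -> R, with R: X = f(X0)
    return all(X == f(X0) for X0 in DOMAIN
               for X in STATES if not B(X) and I(X0, X))

def A4(Q):                                 # identical to the F1 requirement
    return F1(Q)

def verdicts(Q):
    # both sides of Theorem 3 for a given loop body; they must agree
    return {"functional": F1(Q) and F2(Q) and F3(),
            "axiomatic": A1() and A2(Q) and A3() and A4(Q)}

def reachable(Q, X0):                      # the states B*Q passes through from X0
    seen, X = [X0], X0
    while B(X):
        X = Q(X)
        seen.append(X)
    return seen

def internal_invariant_counterexample():
    # the report's counterexample: I holds for <6,10,-13> on input <4,10,7>,
    # yet the loop never generates that state, so I is not an internal invariant
    X0, X = (4, 10, 7), (6, 10, -13)
    return I(X0, X) and X not in reachable(Q, X0)
```

Because Theorem 1 gives necessary as well as sufficient conditions, the defective body fails F2 and A2 together, while the correct body satisfies both sets; verdicts(Q) and verdicts(Q_bad) show the two sides agreeing in both directions.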
5. Subgoal Induction and Functional Correctness


Subgoal induction is a verification technique due to [Morris & Wegbreit, 1977]. In this section we compare subgoal induction to Mills' functional correctness approach.

We first note that subgoal induction can be viewed as a generalization of the functional approach presented here in that subgoal induction can be used to prove a program correct with respect to a general input-output relation. A consequence of this generality, however, is that the subgoal induction verification conditions are sufficient but not necessary for correctness; that is, in general, no conclusion can be drawn if the subgoal induction verification conditions are invalid. Provided the closure requirement is satisfied, the functional verification conditions (as well as the subgoal induction verification conditions when applied to functional specifications) are sufficient and necessary conditions for correctness. Results in [Misra, 1977] suggest that it is not possible to obtain necessary verification conditions for general input-output relations.

In order to more precisely compare the two techniques, we consider the flow chart program in Figure 2 taken from [Morris & Wegbreit, 1977].


Figure 2.

In the figure, A,B,C,D are points of control in the flow chart, P is a predicate and Q,R and S are function nodes. Note that this flow chart program amounts to a WHILE loop surrounded by pre and post processing. Our goal is to prove the program computes a function T. Morris & Wegbreit point out that subgoal induction uses an induction on the B to D path of the flow chart; that is, one selects some relation V, inductively shows it holds for all B to D paths, and then uses V to show T is computed by all A to D paths. In our illustration, since T is a function, it will be required that V itself be a function. Once V has been selected, the verification conditions are

(S1) ~P(X) -> V(X) = S(X)

(S2) P(X) -> V(R(X)) = V(X)

(S3) T(X) = V(Q(X)).

Note that S1 and S2 test the validity of V; S3 checks that V can be used to show T.

The functional verification theory presented here is similar with the exception that the function S is not included in the induction path. We select some function f and show it holds for all B to C paths (i.e. we show the WHILE loop computes f) and then use f to show T is computed by all A to D paths. Once f has been selected, the verification conditions are

(f1) ~P(X) -> f(X) = X

(f2) P(X) -> f(R(X)) = f(X)

(f3) T(X) = S(f(Q(X))).

Note that both techniques require the invention of an intermediate hypothesis which must be verified in a "subproof." This hypothesis is then used to show the program computes T. The function S in the flow chart program is absorbed into the intermediate hypothesis in the subgoal induction case; it is separate from the intermediate hypothesis in the functional case. Indeed, the two intermediate hypotheses are related by

V = S o f.

If S is a null operation (identity function), the intermediate hypotheses and verification conditions of the two techniques are identical. A difference between the two techniques, however, can be seen by examining the case where Q is a null operation. If the loop is closed for T, subgoal induction enjoys an advantage since T can be used as the intermediate hypothesis. That is, the subgoal induction verification conditions are simply

(S1") ~P(X) -> S(X) = T(X)

(S2") P(X) -> T(R(X)) = T(X).

In the functional case, one must still derive a hypothesis for the loop function f. A heuristic which can be applied here is to restrict one's attention to functions which are subsets of S**-1 o T. However, it is worth emphasizing that this rule need not completely specify f since, in general, S**-1 o T is not a function relation. Once f has been selected, the verification conditions are

(f1") ~P(X) -> f(X) = X

(f2") P(X) -> f(R(X)) = f(X)

(f3") T(X) = S(f(X)).

The difference between the two techniques in this case is due to the prime program decomposition nature of the functional correctness algorithm described in section 2. A more efficient proof is realized by treating the loop and the function S as a whole. Accordingly, correctness rules for this program form might be incorporated into the prime program functional correctness method described earlier. The validity of these rules can be demonstrated in a manner quite similar to the proof of Theorem 1.

Example 8: We wish to show the program

while not x in {0,1,2,3} do
    if x < 0 then x := x + 4
    else x := x - 4 fi
od;
if x > 1 then x := x - 2 fi

computes the function T = {(<x>,<odd(x)>)}. The subgoal induction verification conditions are

x in {0,1,2,3} -> S(x) = odd(x), and
x not in {0,1,2,3} -> odd(R(x)) = odd(x), where

S(x) = if x > 1 then x-2 else x, and

R(x) = if x < 0 then x+4 else x-4.

Both these conditions are straightforward. Now let us consider the prime program functional case. Suppose we are given (or may derive) the intended loop function

f = { (<x0>,<x>) | x in {0,1,2,3} & x mod 4 = x0 mod 4 }.

We can verify that the loop computes f by demonstrating f1" and f2". Condition f3" uses f to complete the proof.

The difficulty with splitting up the program in this example is that it requires the verifier to "dig out" unnecessary details concerning the effect of the loop. One need not determine explicitly the function computed by the loop in order to prove the program correct. The only important loop effect (as far as the correctness of the program is concerned) is x in {0,1,2,3} and odd(x) = odd(x0). In this example, treating the program as a whole appears superior since it only tests for the essential characteristics of the program components.

It is worth observing that an axiomatic proof of a program of this form could be accomplished by using the loop invariant T(x) = T(x0). The verification conditions in this case would be equivalent to the subgoal induction verification conditions. Note that, in general (as in our example), T(X) = T(X0) is too weak an invariant to be adequate for the intended loop function f.
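As an added check (this is not code from the report), the following Python script evaluates, over a constructed finite range of integers, the subgoal induction conditions S1" and S2" and the functional conditions f1", f2", f3" for the program of Example 8, with odd(x) encoded as x mod 2 so that S(x) and T(x) are comparable integers. The function f_weak is an assumption added to show the point made above: using the parity alone as the loop function fails f1", so the functional case really does force the verifier to pin down the exact loop effect (x mod 4), while S1" and S2" only need parity to be preserved.

```python
# Added example, not code from the Dunlop & Basili report. It checks the
# verification conditions of Example 8 on a constructed range of integers.
SET = {0, 1, 2, 3}
XS = range(-20, 21)          # constructed finite slice of the integers

def P(x):                    # loop predicate: continue while x is outside the set
    return x not in SET

def R(x):                    # loop body: if x < 0 then x := x + 4 else x := x - 4
    return x + 4 if x < 0 else x - 4

def S(x):                    # post-processing: if x > 1 then x := x - 2
    return x - 2 if x > 1 else x

def T(x):                    # specification T: odd(x), encoded as 1 for odd, 0 for even
    return x % 2

def run_program(x):          # the whole program of Example 8
    while P(x):
        x = R(x)
    return S(x)

# subgoal induction with T itself as the intermediate hypothesis (Q is null here)
def cond_S1():               # (S1") ~P(x) -> S(x) = T(x)
    return all(S(x) == T(x) for x in XS if not P(x))

def cond_S2():               # (S2") P(x) -> T(R(x)) = T(x)
    return all(T(R(x)) == T(x) for x in XS if P(x))

# prime program functional case: the loop function f must be found explicitly.
# Python's % returns the representative in 0..3 for negative x as well, which is
# exactly the report's f = {(<x0>,<x>) | x in {0,1,2,3} & x mod 4 = x0 mod 4}.
def f(x):
    return x % 4

def cond_f1():               # (f1") ~P(x) -> f(x) = x
    return all(f(x) == x for x in XS if not P(x))

def cond_f2():               # (f2") P(x) -> f(R(x)) = f(x)
    return all(f(R(x)) == f(x) for x in XS if P(x))

def cond_f3():               # (f3") T(x) = S(f(x))
    return all(T(x) == S(f(x)) for x in XS)

# assumption for illustration: the parity alone is not a usable loop function,
# because on exit from the loop f must reproduce the state exactly (f1")
def f_weak(x):
    return x % 2

def cond_f1_weak():
    return all(f_weak(x) == x for x in XS if not P(x))

def program_correct():       # direct check that the program computes T on the slice
    return all(run_program(x) == T(x) for x in XS)
```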
6. Initialized Loops


The preceding section indicates that it is occasionally advantageous to consider a program as a whole rather than to consider its prime programs individually. In this section we attempt to apply the same philosophy to the initialized loop program form.

We will again consider the program in Figure 2 with the understanding that S is a null operation. We want to prove that the program computes a function T, i.e. that T holds for all A to C paths. We have seen that prime program functional correctness involves an induction on the B to C program path using an intermediate hypothesis f. An inductive assertion proof would involve an induction on the A to B path using some loop invariant I(X0,X). This invariant differs from those discussed previously in that it takes into account the initialization for the loop. In this section we discuss briefly the difficulty of synthesizing the intermediate hypotheses f and I.

In order for the program to compute T, we must have Q(X)=Q(Y) -> T(X)=T(Y). Consequently, the relation represented by T o (Q**-1) is a function and is a candidate for the intermediate hypothesis f. Unfortunately, the domain of this function is the image of D(T) through Q, and since the purpose of the initialization is often to provide a specific "starting point" for the loop, the loop will seldom be closed for this function. Thus the problem of finding an appropriate f can be thought of as one of generalizing T o (Q**-1).

Example: We want to show the program

s := 0; i := 0;
while i < n do
    i := i + 1;
    s := s + a[i]
od

computes s := SUM(k,1,n,a[k]). If Q represents the function performed by the initialization, T o (Q**-1) is

(s=0 & i=0 -> s := SUM(k,1,n,a[k])).

Note that the loop is not closed for this function. To verify the program using the functional method, this function must be generalized to a function such as

f = s := s + SUM(k,i+1,n,a[k]).

We now consider the relative difficulties of synthesizing a function f for which the loop is closed (for a functional proof) and synthesizing an adequate loop invariant (for an inductive assertion proof). If we have a satisfactory f, an appropriate hypothesis for a loop invariant is I(X0,X) iff f(Q(X0))=f(X). We now try to go the other way. Suppose we have I(X0,X); can we derive from that a function f for which the loop is closed? We motivate the result as follows: we could obtain an equivalent program by modifying the initialization to (non-deterministically) map X0 to X if I(X0,X) is true. The modified program still computes the same function; if the initialization maps X0 to anything other than Q(X0), the effect will simply be to save the loop some number of iterations. By the same argument that was used to show the loop must compute T o (Q**-1), the program must also compute T o (I(X0,X)). Note that the loop is necessarily closed for this function; otherwise the invariant would be violated. We conclude then that the synthesis of a function for which the loop is closed and the synthesis of a suitable invariant are equivalent problems in the sense that a solution to one problem implies a solution to the other problem. The translation between loop invariants and intermediate hypotheses in a subgoal induction proof is discussed in [Morris & Wegbreit, 1977].

Example (continued): An inductive assertion proof of our program might use the invariant s=SUM(k,1,i,a[k]) & i<=n. Note that this invariant is essentially equivalent to f(Q(X0))=f(X) (where f and Q are as defined previously). Using the technique outlined above, we may derive from the invariant

f' = (s=SUM(k,1,i,a[k]) & i<=n -> s := SUM(k,1,n,a[k])).

Observe that this is quite different from the original f, but that f' is quite satisfactory for a functional proof of correctness. It may seem puzzling that f'(Q(X0))=f'(X) is the constant invariant TRUE and yet Theorem 2 states that such an invariant must be f-adequate. This is not a contradiction, however, since

TRUE & i>=n -> s=SUM(k,1,n,a[k])

is valid for any state in D(f'). Similarly, a functional proof that the loop computes f' is trivial with the exception of verifying that the closure requirement is satisfied. This is no coincidence: proving closure is equivalent to demonstrating the validity of the loop invariant.
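As an added illustration (this is not code from the report), the following Python script works the summation example of this section on a constructed array, assuming a fixed n and 1-based a[k], with states written as the pair <s,i>. It checks that the loop is not closed for T o (Q**-1), that it is closed for the generalized f and computes it, and that the loop is closed for the f' derived from the invariant exactly when the loop body preserves that invariant; body_bad is a constructed defect used to show the two checks fail together.

```python
# Added example, not code from the Dunlop & Basili report. It checks the
# closure and correctness claims of the initialized-loop example on a
# constructed array; n and a[k] are fixed, a state is the pair <s, i>.
A = [0, 2, -1, 5, 3]      # constructed a[1..4]; a[0] is a filler never read by the correct body
N = 4

def SUM(lo, hi):          # SUM(k, lo, hi, a[k]); empty when lo > hi
    return sum(A[k] for k in range(lo, hi + 1))

STATES = [(s, i) for s in range(-8, 16) for i in range(0, N + 2)]  # finite slice of <s,i>

def Q(X0):                # initialization s := 0; i := 0
    return (0, 0)

def B(X):                 # loop predicate i < n
    return X[1] < N

def body(X):              # i := i + 1; s := s + a[i]
    s, i = X
    return (s + A[i + 1], i + 1)

def body_bad(X):          # constructed defect: reads a[i] before incrementing i
    s, i = X
    return (s + A[i], i + 1)

def run(loop_body, X0):   # the whole initialized loop
    X = Q(X0)
    while B(X):
        X = loop_body(X)
    return X

def T(X):                 # specification: s := SUM(k,1,n,a[k]), with i left at n
    return (SUM(1, N), N)

def T_o_Qinv(X):          # T o (Q**-1): defined only on the image of D(T) through Q
    return T(X) if X == (0, 0) else None

def f(X):                 # generalized loop function f = s := s + SUM(k,i+1,n,a[k])
    s, i = X
    return (s + SUM(i + 1, N), N) if 0 <= i <= N else None

def I(X):                 # loop invariant s = SUM(k,1,i,a[k]) & i <= n
    s, i = X
    return 0 <= i <= N and s == SUM(1, i)

def f_prime(X):           # f' = (I(X) -> s := SUM(k,1,n,a[k])), derived from the invariant
    return T(X) if I(X) else None

def closed(g, loop_body):
    # the loop is closed for g: the body keeps D(g) whenever B holds
    return all(g(loop_body(X)) is not None
               for X in STATES if g(X) is not None and B(X))

def computes(g, loop_body):
    # Theorem 1 conditions F2 and F3 for g (F1 is immediate: i strictly increases)
    F2 = all(g(loop_body(X)) == g(X) for X in STATES if g(X) is not None and B(X))
    F3 = all(g(X) == X for X in STATES if g(X) is not None and not B(X))
    return F2 and F3

def invariant_preserved(loop_body):
    # inductive step of the axiomatic proof: B & I {body} I
    return all(I(loop_body(X)) for X in STATES if I(X) and B(X))

def equivalence_holds(loop_body):
    # the section's claim: closure for f' and validity of the invariant coincide
    return closed(f_prime, loop_body) == invariant_preserved(loop_body)
```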
7. Summary


Our purpose has been to explain the functional verification technique in light of other program correctness theories. The functional technique is based on Theorem 1 which provides a method for proving/disproving a loop correct with respect to a functional specification for which it is closed.

In Theorem 2, a loop invariant derived from a functional specification is shown to be the weakest invariant over the domain of the function which can be used to test the correctness of the loop. Theorem 3 indicates that the functional correctness technique for loops is actually the special case of the axiomatic method that results from using this particular loop invariant as an inductive assertion. The significance of this observation is that functional correctness can be viewed either as an alternative correctness procedure to the inductive assertion method or as a heuristic for deriving loop invariants.

The subgoal induction technique seems quite similar to the functional method; the two techniques often produce identical verification conditions. We have, however, observed an example where the subgoal induction method appears superior to functional correctness based on prime program decomposition. More work appears necessary in precisely characterizing these situations and determining if there are circumstances under which the functional method is more advantageous than subgoal induction.

We have examined the inductive assertion and functional methods for dealing with initialized loops. We have shown that the problems of finding a suitable loop invariant and finding a function for which the loop is closed are identical. The result indicates that for this class of programs the two methods are theoretically equivalent; that is, there is no theoretical justification for selecting one method over the other.